Phones are a central part of school life for staff, from safeguarding queries to IT troubleshooting. For many staff, answering calls and helping with quick queries is instinctive. However, as voice phishing, or vishing, becomes more common and difficult to detect, educators must rethink how phone-based requests are handled within schools.
Unlike email phishing, vishing leverages urgency, tone, and a human voice to bypass caution. It often sounds legitimate because it's designed to. The attackers rely solely on our instincts as humans: to trust, help, and act quickly.
This is where leadership and governance have key responsibilities. Establishing a culture where phone-based verification is expected, not exceptional, helps every staff member feel confident, cautious, and empowered. And just like with emails, it's not about blame - it's about building habits that protect students, staff and their data.
So, how can you, as a senior leader or governor, make sure your school community is equipped to spot vishing attempts and respond appropriately? In this blog, we'll explore key behaviours, reference high-profile breaches, and introduce a simple mental model to help schools foster a culture of mindful verifying.
The concept "zero trust, never trust, always verify" is often applied to systems and networks, but should also apply to human interactions over the phone. Just because a voice sounds familiar doesn't mean it should be trusted without verification.
School leadership teams should model this approach. Suppose someone calls with a request for login credentials, admin rights, or a change to digital services. In that case, leaders should demonstrate that it's entirely appropriate, and encouraged, to pause, question, and verify.
Whether it's a third-party support call or a supposed message from a senior colleague, senior leadership teams must show that asking to call back via an official route is not obstructive; it's protective. This behaviour, when modelled consistently, becomes normalised across the school.
Early this year, two major vishing-related attacks reinforced the point that even organisations with advanced defences can be vulnerable when trust is exploited.
Marks & Spencer suffered a serious breach when attackers impersonated staff to request password resets over the phone. Once access was granted, ransomware crippled systems, halting online orders and exposing sensitive data. The attackers didn't hack M&S; they used social engineering, with some reports suggesting vishing was used.
The second organisation to be hit by a major cyber attack was Cisco. Cisco is a global technology company best known for providing the internet infrastructure and network systems used by large organisations (including education providers). They experienced a separate voice-based breach when a scammer used social engineering to access internal systems. The attacker persuaded a staff member to share access to credentials over the phone, leading to the exposure of personal data. Again, this wasn't a technical failure; it was human manipulation.
What can we learn from these attacks? Well, if not one but two multi-million pound companies with security teams can fall for convincing voice scams, so can anyone - especially staff in high-pressure school environments.
Just as schools promote cautious clicking, leadership teams must also promote cautious compliance over the phone. A simple way to do this is to embed a standard mental checklist for any phone request related to access, login, or data.
We recommend a simple, memorable process, like our 'STOP' vishing poster. By embedding 'STOP' as a shared staff habit, in the same way safeguarding questions are normalised, schools can reduce impulsive responses and reinforce a culture where careful checking is standard.
School staff are constantly multitasking and under time pressure, which creates the perfect environment for vishing to thrive in. This makes it vital to reassure all school staff that pausing isn't a failure to help; it's how to help safely and securely.
Therefore, governors and SLTs should encourage staff to escalate suspicious or unusual requests, even if the caller seems legitimate. They should also openly discuss real-world examples during staff briefings and training, showing that it can happen to anyone, anywhere.
It’s also advisable to include vishing in cybersecurity awareness training and incident response planning where possible. Staff should feel confident reporting incidents without fear of blame.
Just as senior leadership teams may already remind staff to "think before you click" for safe email practice, introduce language like "pause before you pass information" when it comes to phone requests. Consider:
Visual reminders: Posters for staff areas, like our 'STOP' vishing poster.
Internal comms: Weekly bulletins or briefings with short tips and real case studies.
These nudges reinforce awareness without needing formal training sessions, helping to keep the issue alive and relatable.
School staff shouldn't be criticised for double-checking requests, especially concerning pupil data, system access, or passwords. On the contrary, verification should be praised and normalised.
Just as there is no blame for someone being cautious in safeguarding, staff shouldn't be shamed for being careful in cybersecurity. If your school already encourages thoughtful email practices, take the next step: extend that same care to phone calls and voice-based requests.
Click here to download the 'STOP' vishing poster for free.